Zerocoin implementation bug (zcoin.io)
148 points by marksamman on Feb 17, 2017 | 134 comments

The current market cap of Zcoin is 1,538 BTC [0], so this person created 1/4 of all the coins in circulation (410 BTC), and these guys are saying: "We knew we were being attacked when we saw that the total mint transactions did not match up with the total spend transactions". It took them way too long to realize that they were being outsmarted.

EDIT: u/aftbit also posted this on the thread: "They even cited the ability to detect hacks like this as a key advantage over Zcash. [1]"

[0] https://coinmarketcap.com/currencies/zcoin/

[1] http://blog.zcoin.tech/zcoin-and-zcash/

Well yes, they were not wrong to cite the ability to detect hacks like this as a feature over zcash. This same class of error could exist in zcash and we would never know. We know it happened here because of the ability to audit.

You are completely right, I hadn't considered that. This is what Zcash has to say about it:

> Since the value sent between shielded addresses is private, how can we determine the number ZEC in circulation?
>
> Currently, we know that every miner validates every transaction, and each transaction comes with a zero-knowledge proof that it doesn't violate conservation-of-money (i.e. a proof that the money coming out of the transaction is ≤ the money going into the transaction).
>
> This reasoning depends on the soundness of the zero-knowledge proofs. If someone could get the miners to accept a transaction that created new money — if you could somehow forge a zero-knowledge proof or defeat the zero-knowledge-proof-verifier software in the miners — then you could counterfeit money.
>
> We are investigating options for the future which would enable accounting for all ZEC in existance(sic). Stay tuned to our blog for any proposals on this matter.


This type of challenge is implicit in any cryptocurrency with strong confidentiality (i.e. which conceals the amount being transferred from public view) unless you trust the "inputs-equal-outputs" proving mechanism (which, in Zcash's case, is the zk-SNARK that accompanies a shielded transaction).

One potential solution is to periodically require that all coins be unshielded (i.e. sent to a t-address) and passed through a turnstile mechanism (thus allowing them to be counted). After a reasonable amount of time, a new consensus rule kicks in that prevents coins from being spent unless/until they've been put through the turnstile. That would effectively allow for a full audit of the monetary base without compromising privacy.

What? This is totally incorrect. It is perfectly possible to build systems that verify total issuance while concealing amounts. Blockstream's Confidential Transactions does this, for example.

So you trust Pedersen commitments and range proofs to prove that the inputs to a Confidential Transaction equals its outputs?

As much as the elliptic curve discrete logarithm problem can be trusted to be intractable, yes. For which bitcoin has some billion dollars in bounties :-)

The crypto used in Confidential Transactions, or any implementation of it, does not only rely on ECDLP. There's plenty of scope for potential protocol or implementation errors. (The Zcoin issue, remember, is an implementation error.)

The CRYPTO relies only on ECDLP. That word, as it is usually used as a term of art, indicates the underlying mathematical assumptions. To say "it does not only rely on ECDLP" is to indicate that there are other trusted mathematical security assumptions, such as hardness of EC pairing or the knapsack problem. This is not the case with confidential transactions, whose Pedersen commitments and Back-Maxwell rangeproofs rely on the exact same cryptographic assumptions as any bitcoin signature. It even uses the same library to create and check these commitments, with a minimal amount of new code.

Is there scope for new implementation errors? Yes, but only in the fully generic sense of it involving _some_ new code. Anything that is different involves changes, and any change brings the possibility of an implementation error. However Blockstream has tried to keep confidential transactions as close to the underlying bitcoin code base as possible to minimize that error, and unlike other solutions CT has been subject to academic review and external security audit.

I'm not aware of any proof that Borromean signatures, relied on by CT, are secure assuming only ECDLP. There is certainly no such proof in the paper https://github.com/Blockstream/borromean_paper/blob/master/b... .

[Edit: updated paper link to the most recent version, which still doesn't have any proofs.]

As does Monero's RingCT, which is based on Blockstream's Confidential Transactions.

Obviously there are implementation risks, but in terms of cryptographic risk you are correct.
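
The balance check that Confidential Transactions relies on, as discussed in the comments above, shown as an added example (not part of the thread and not Blockstream's code). It implements Pedersen commitments on secp256k1 in pure Python; the second generator `H`, its derivation tag and all helper names are assumptions of this example. The last case in the demo shows why the range proofs mentioned above have to accompany the commitments.

```python
import hashlib
import secrets

# secp256k1 domain parameters (the curve Bitcoin signatures use).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity (group identity)


def add(a, b):
    """Affine point addition on y^2 = x^3 + 7 over GF(P)."""
    if a is INF:
        return b
    if b is INF:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # a + (-a)
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def mul(k, pt):
    """Double-and-add scalar multiplication (not constant time)."""
    k %= N
    acc = INF
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def neg(pt):
    return INF if pt is INF else (pt[0], -pt[1] % P)


def second_generator(tag=b"added-example Pedersen H"):
    """Hash to a curve point so that nobody knows log_G(H). Tag is constructed."""
    ctr = 0
    while True:
        digest = hashlib.sha256(tag + bytes([ctr])).digest()
        x = int.from_bytes(digest, "big") % P
        rhs = (pow(x, 3, P) + 7) % P
        y = pow(rhs, (P + 1) // 4, P)  # square root, valid because P % 4 == 3
        if y * y % P == rhs:
            return (x, y)
        ctr += 1


H = second_generator()


def commit(value, blind):
    """Pedersen commitment C = value*H + blind*G; hides value, binds under ECDLP."""
    return add(mul(value, H), mul(blind, G))


def build_tx(in_values, out_values):
    """Commit to every amount; the last output blind makes all blinds cancel."""
    in_blinds = [secrets.randbelow(N) for _ in in_values]
    out_blinds = [secrets.randbelow(N) for _ in out_values[:-1]]
    out_blinds.append((sum(in_blinds) - sum(out_blinds)) % N)
    ins = [commit(v, r) for v, r in zip(in_values, in_blinds)]
    outs = [commit(v, r) for v, r in zip(out_values, out_blinds)]
    return ins, outs


def balances(inputs, outputs, fee=0):
    """Verifier side: sum(outputs) + fee*H - sum(inputs) must be the identity.
    The verifier sees only curve points and the public fee, never an amount."""
    total = mul(fee, H)
    for c in outputs:
        total = add(total, c)
    for c in inputs:
        total = add(total, neg(c))
    return total is INF


if __name__ == "__main__":
    # All amounts below are constructed sample values.
    print("5+7 -> 4+8        :", balances(*build_tx([5, 7], [4, 8])))
    print("5   -> 6 (inflate):", balances(*build_tx([5], [6])))
    # Amounts live modulo N, so N-1 acts as -1 and the sums still cancel.
    # The balance equation alone accepts this; a range proof on each output
    # (not implemented here) is what lets the verifier reject it.
    print("5   -> 6 + (N-1)  :", balances(*build_tx([5], [6, N - 1])))
```

The verifier in `balances` proves total issuance is conserved without learning any amount, which is the property claimed for CT above; the soundness of that check still depends on the range proofs and on the implementation being correct.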

Smells like the original Jurassic Park!

But at the insistence of Malcolm, Arnold tries different ways of counting the animals on the computer. The count reveals that there are 292 animals in the park, much higher than the official figure of 238. Malcolm concludes that the animals, including the deadly velociraptor, are breeding. Wu cannot believe it, because all the dinosaurs are female. http://www.novelguide.com/jurassic-park/summaries/iteration3

Or alternatively, the developers designed this hard-to-find typo/bug years ago and have now just quietly cashed out.

Seems very unlikely since it would inevitably cause many to lose faith in the currency. If they really want to cash out, they can just do what almost every other upstart cryptocurrency founder does and make it clear they're taking some of the pie.

If they just want out, the things that happen to the currency don't matter to them - they're already gone.

That's true, but if this was the epic exit scam they were planning for so many years, it's a bit disappointing.

410 BTC is half a million dollars.

True, but many of these currency founders are looking for millions.

Not saying it's impossible this is a scam, but I still doubt it.

You're assuming the one who introduced the bug was a founder with the ability to do that.

That's the assumption the parent poster made, not me.

Uh, no it's not. You're the one that mentioned founders. The parent poster just mentioned developers.

He said "the developers" and "years ago", implying the founders.

Making a currency is already a gold mine. Mine the first 100k coins and hide them for 5 years.

Let me get this straight. Zerocoin has a bug, money gets stolen, the bug is fixed. Everyone in the comments loses their shit and calls doom and gloom for all cryptocurrencies. The experiment is failed, centralization was right all along!

Meanwhile, centralized systems like credit cards are stolen en masse, identity theft abounds, anybody can file your taxes with the IRS and collect your refund, and an ACH can be initiated against your bank account using all the information helpfully printed on every check you hand to strangers... and no one bats an eye?

I don't get it.

Stating the obvious here, but...

Fiat financial security is based on monitoring, paper trails, and legal consequences for fraud. Yes, you can initiate a fraudulent ACH knowing only the numbers printed on a check you received, but you'll probably end up in jail for it. It's far from perfect but it mostly works.

Cryptocurrency intentionally doesn't have any paper trails. Anonymity is the selling point. If you find a bug in the code and exploit it, the anonymity protects you and you likely won't be caught. That means that security depends entirely on the code (and the theory!) being correct.

So yes, when bugs in fact lead to massive amounts of money being lost... some people are going to argue that cryptocurrency may not be a good idea.

(Note: My personal opinion is mixed.)

> Zerocoin has a bug, money gets stolen, the bug is fixed.

You say this as if it isn't a big deal. Sure, the bug is fixed, but the attacker essentially stole 25% of everyone else's zcoin (via inflation), and fixing the bug doesn't bring any of it back. That seems like a big deal to me.

Actually the whole point of the distributed blockchain is that there's a very public paper trail. The only hope for anonymity is obfuscating the movement of value through the blockchain, which can be accomplished to varying degrees depending on the sophistication of who is trying to track you. If your theft is high profile enough then you'll have a good deal of trouble liquidating your funds anonymously.

It's the ultimate irony. It feels like anonymity because you decouple the "get a bunch of BTC" from "cash out to USD", so it's the worst of both worlds.

It's anonymous at first, so fraud can't easily be reversed. But it's "eventually completely public", so people who might want to use it for anonymity are sitting on a ticking time bomb. Eventually, their identities will be revealed.

Indeed, but people just don't seem to get this. As long as people are converting fiat to crypto at the front end, and then crypto back to another fiat at the back end, then there is no anonymity. There may be a lot of obfuscation in the middle, but ultimately the guy who converts back to fiat will be asked the question by his government, "Where did this money come from?" Then he needs a provable paper trail.

Maybe someday enough goods and services will be available to be purchased by cryptocurrency that fiat use will be diminished or eliminated. But at that point, the companies that are accepting cryptocurrency as payment for services will have to keep their own accounting in order to show their governments where their money is coming from. And then again the anonymity breaks down. The customer records, with email, ip, and shipping addresses are part of the audit trail.

"I found a printout of the bitcoin key."

That's how Bitcoin works, but some newer cryptocurrencies like Monero, Zerocoin, and ZCash have no such paper trail.

As others pointed out, Zerocoin intentionally provides much more anonymity than Bitcoin.

But even with Bitcoin, money laundering is much easier than it is under the regular banking system.

Yes, the security of the traditional financial system is largely based around the ability to reverse transactions.

One time I was transferring money from one of my accounts into a trading institution. Except by mistake, I was looking at one of my parents' checks instead of my own. I typed the wrong account number. Only after my parents noticed the unexplained withdrawal of a five figure sum, and called the bank to reverse it, was the mistake detected.

There is an excess of schadenfreude here, but people are only judging cryptocurrencies against their own inflated claims.

Not really sure where the "schadenfreude" comes in if ethereum was originally sold for 30 cents per ether and is now about 13 dollars an ether.

[unusual activity] leads to [bad outcome] -> Unusual activity causes problems and you smell!

[normal activity] leads to [bad outcome] -> Well you must've cocked it up.

See: vegan cooking, meat cooking

What's better than stealing magic Internet money? Creating anonymous magic Internet money out of thin air, then selling it. Brilliant.

But seriously, I'm not sure which is worse: Watching your stolen money move around the blockchain knowing you are helpless to do anything about it, or being provably unable to even tell the difference between "real" and "counterfeit" coins.

I never thought I'd see counterfeit cryptocurrency, yet here we are.

Welcome to the world of 2017, where dreams really can come true!

>Creating anonymous magic Internet money out of thin air, then selling it.

Well, not much different from what our banks do.

Blockchain and Cryptocoins will face the same fate HYIP forums / Liberty Reserves went through: regulatory enforcement and social stigmatization.

I mean sure, maybe they will. But people have been saying this for at least 6 years. When will this happen exactly, and why? Bitcoin may never achieve the status its proponents hope for, but interest from investors and the financial sector in bitcoin and its underlying technology suggest it's unlikely to suffer this fate anytime soon.

Unlike HYIP, which are a malicious scam, and LR, which essentially only existed for money laundering and had a single point of failure, bitcoin is at least some kind of innovation.

This position isn't really better than the knee-jerk "bitcoin will replace the Federal Reserve". Both are based on feelings or ideology rather than research, and both fail to acknowledge the great uncertainty that clearly surrounds the future of bitcoin and blockchain technology.

> regulatory enforcement

The only place regulatory enforcement could hit Bitcoin is at the fiat exchanges, which are already beholden to KYC/AML.

> social stigmatization

People have already tried that; "Bitcoin is only for illegal drugs and guns!" Didn't work.

It didn't?

Have you checked the charts? Usage and price are essentially at all time highs, and are creeping higher.

People like drugs.

Or the Chinese, Venezuelans and Indians are buying BTC because either somebody else is in control of their currency or their currency is out of control.

> out of thin air

You don't understand economy.

But that's literally what happened...

That's NO different than what the "Federal reserve" does. Creates paper money out of thin air.

Considering programmers almost exclusively deal in abstract ideas, and even their manifestation is in the realm invisible to the naked eye, it's surprising how hard it appears for many to grasp concepts such as "law", "culture", or "trust".

So here we have a bunch of crypto-anarchists with their usual "fiat is fiction"-spiel. Let me ask you to put your worthless paper money[0] where your mind is: I have drawn this wonderful $1 note, and will add as many zeros as you wish, giving you a 10-for-1 payout for useless US treasury fiat.

Oh well. At least every time one of these great new ponzi schemes finds a new way for provable-secure technology to be insecure, we can enjoy the knowledge that another $100mill is in the hands of a more worthy owner.

[0] most of it isn't even paper, but apparently paper is a better symbol for evanescence than "electric charge" or "a linen/cotton-blend"

I think it's because it's difficult for even programmers to deeply grasp the slippery nature of the small scale abstractions we use in software projects. This is why design patterns are so easily misused. It's tricky stuff.

The large scale, society-level abstractions and shared fictions, such as money, are a whole different beast.

I don't think the principle of money is actually that difficult. We've all had that moment in middle school where we realised that money would be worthless if everyone stopped caring about it.

It's just that some people stopped running around wide-eyed telling others about this revelation a few days later.

I guess we did get lucky in that the object of obsession they chose wasn't the law. Please don't tell them that murder is only a crime because enough people believe it to be or they'll throw us all in blockchains.

> money would be worthless if everyone stopped caring about it.

Sure, on the surface this is easy to understand. But what might it look like for such a process to unfold? How do the fundamental dynamics and primary characteristics of a money system change over time, and why?

Honestly, I can't really answer those questions in any kind of sophisticated way. A lot of discussions involving the Fed and broad macroeconomic policies feel fairly hand-wavy to me.

Sure, the basics of runaway inflation caused by reckless money printing are not too hard to understand. But that's just one of many scenarios.

If everyone became a plant feeding off the sun, we won't "need" money, greatly reducing its value at least.

Well money wouldn't really work without trust. A currency without confidence is worth nothing. So if Zerocoin got hacked and someone created money out of thin air, confidence drops and zcoin is now worth less. The principle is the same as with state backed fiat.

I mean, at least they do it on purpose.

All these blockchain currencies seem to have really good bug bounty programs, this one gave out almost half a million dollars (410 BTC).

Ethereum takes the record for paying out $53 million dollars (943 BTC X 53 = lots). Technically, it wasn't even theft or a bug since Ethereum & DAO proudly claimed "Code is Final Law".

I almost feel like cryptocoin and blockchains are set out to do 1 thing really well: show how superior centralized systems are and how easy it is to trick people with pseudo academic jargon. Just read Vitalik's writing peppered with superficial pseudo-academia-charlatan pedantic language its zealots gladly eat up, with little to no effort to dissect and analyze fact from fiction.

While I don't feel that your argument generalizes (e.g. Bitcoin actually probably is the best extant value exchange mechanism in many ways), the whole Ethereum thing was embarrassing. People fell for the mumbo-jumbo and then the whole project rendered itself pointless by going back on its "code is law" principle.

In a way, they did actually prove that code is law - but they proved that "currently consensus-agreed-upon code is law."

That old buggy code was law until the new code became law and changed the rules :). But of course it's redundant to say "current code is law" because it's obvious by the logic of how consensus works.

The confusion for people was their belief that code at one point in history would forever remain "the law".

"code is law" and "currently consensus-agreed-upon code is law" are not the same though, not even close. One allows for human intervention and the other one doesn't.

Moreover, consensus means that it's possible that >50% participants can one day decide and take the money from the other participants. By declaring them hackers / evil / etc, for example. Which is basically what happened.

Yes, consensus does mean that the group "in power" can change the rules in ways that can harm those outside the consensus.

This is kind of scary, but on the other hand I think it won't be exercised in too strong a way - or at least in a way that harms a large number of people. The reason it won't happen is that aggressive moves that harm too many players threaten the whole game. So those in power have to consider whether their actions could ultimately undermine their own value, since the value is agreed upon by a larger market than just the people with consensus.

Now, if you have a pile of nerds with more interest in ego or "correctness" than in financial value, then wild changes can occur. I don't mean to suggest that's always a bad thing either. It's a bit like choosing when to evolve in a backward compatible way or when to make changes that are good for the long term but which annoy or frustrate some people in the short term.

For me, the takeaway of most interesting events in the blockchain world is that it's still quite young. There's a lot to learn, and it will take time to stabilize and become boring and reliable (or at least more predictable).

Most people consider ex post facto enforcement to be a trademark of a thoroughly broken legal system.

But Ethereum didn't pay out right? Didn't they fork to pull those coins back?

Yep, forked to swap the contract and survived, then survived more creative attacks for the remainder of year. Doing pretty well now.

The truth is that people always agree that there are limits to the law and that the law at some level has to be aligned with common sense and the interests of the community... except in the case when saying "LOL CODE IS LAW!" gives them an opportunity to stroke their smug egos.

> how superior centralized systems are

Tell us? Because around here, I saw a huge number of bank fraud basically unpunished. "Yes those guys duplicated your SIM and stole all your funds. Too bad for you since we're not going to even try to catch them."

Centralized systems might be efficient but the rule is, they don't care about you, so it's not your problems that they're going to solve. At least I can have some faith in the code, which is the final law.

For one, a theft on banks is extremely hard and the rest of the system hums along. Mt Gox and DAO however resulted in catastrophic failure where everyone was collectively punished.

On a personal level, there are good channels to get your money back where in a decentralized market, there's zero chance. It's better to have other humans keeping check on each other than code watching other code because it will not take into account the "spirit of contract".

"a theft on banks is extremely hard and rest of the system hums along. Mt Gox and DAO however resulted in catastrophic failure where everyone was collectively punished."

Not "everyone" was punished. Only users of Mt Gox. And only investors of the DAO. Also both Bitcoin and Ethereum survived these incidents very well.

With legacy financial systems (banks, cash) there are plenty of scenarios where you may never get your money back, eg.: lose your wallet/cash, 2016 Bangladesh Bank SWIFT hack where $60M was never recovered, etc.

In a centralized system, sometimes people can help you get your money back, but it is also possible that they'll help taking money away from you.

"Spirit of contract" is usually taking money from less well-connected and awarding it to more well-connected. Have zero faith in it in XXI century.

Wait a sec.

Someone steals my credit card, and if I notice within 2 months, I can get everything back. Another advantage is that it doesn't take several hours (and huge amounts of wasted electricity) for a transaction to go through. My bank hasn't been siphoning my funds either. I wouldn't trust any cryptocurrency exchange with holding even 10% of my monthly salary.

Sure, governments can get my bank records. But my bank records aren't literally inscribed on a public ledger! I don't have to make a bunch of fake bank accounts to protect my privacy from the random data scientist with the blockchain, because if I use my main account and my identity gets leaked from some random service I used, then now everyone knows who I am.

It doesn't matter if they don't care about me. Nobody cares about me. But the incentives are partially aligned: systems with higher trust require less friction. And things like credit cards prove that you can build protections.

And "code is law" is not really extendable across society. We have contracts, of course. But almost all contracts include a "Use common sense"-style clause, which is the whole point lawyers and judges exist in the first place.

How can you build "force majeure" clauses into code without some third party arbitrator?

Of course, having a decentralized backbone is neat. A long time ago, anyone could make gold coins! It wasn't like some evil cabal was like "Oh, we shall unify all the currencies and CONTROL EVERYTHING!" Centralization happened because it was kinda useful.

Half of cryptocurrency stories are "techies discover why banks do the things they do". For example: I imagine more and more exchanges will partner up to do off-chain transactions. At one point, a lot of stuff will happen off-chain. Question: what do you think Visa does?

I do not see a decentralized currency ever becoming big enough to be a real fraction of economic transactions without it becoming what most of what we have. Competition is good! But I think some cryptocurrency enthusiasts are in for disappointment if they want critical mass

>And "code is law" is not really extendable across society. We have contracts, of course. But almost all contracts include a "Use common sense"-style clause, which is the whole point lawyers and judges exist in the first place.

I would characterize the development of law and contracts as something meant to protect parties from common sense. If all we needed was common sense, every contract would just say (a la Raikoth)

>In all situations, the parties will take the normatively correct action.

...and nothing else. Law is essentially shaping common sense into something predictable and useful. So, why wouldn't it be possible to take something deterministic, and shape that into something predictable and useful? It doesn't need to be perfect - it just needs to be better than what already exists.

"Someone steals my credit card, and if I notice within 2 months, I can get everything back."

No. You may still be liable for $500 if you fail to report it within 48 HOURS: http://consumer.findlaw.com/credit-banking-finance/are-you-l...

"Another advantage is that it doesn't take several hours"

You hold a common misconception of how transactions work. Bitcoin transactions are transmitted/notified instantly (like credit cards). Transactions will be confirmed and spendable by the recipient within 10min on average (with CCs it takes 1-3 days until the merchant gets the money). Finally transactions are considered irreversible/definitely non-fraudulent after 6 blocks or 60min on average (with CCs it takes 60 days since charge backs are possible for 60 days).

So if you compare apples to apples, Bitcoin is always faster than credit cards.

"huge amounts of wasted electricity"

This is not wasteful: http://blog.zorinaq.com/bitcoin-mining-is-not-wasteful/

That argument about bitcoin mining not being wasteful just shows it's not wasteful compared to other decentralized, trustless currencies. It still loses out to traditional payment methods.

"It will only use 1% of the world's electricity consumption". We can only do that for 100 things. Does "decentralisation of currency" belong in the top 100 things to devote electricity generation to?

EDIT: Do you have a link to a fuller explanation about transaction speeds? I do not understand how transfers can happen so quickly without introducing a risk of double spend.

Why would the argument be only valid when compared to other decentralized, trustless currencies? The benefits indirectly extracted from Bitcoin mining ($1B invested in 729 companies, thousands of jobs created, etc) exist precisely because Bitcoin has advantages over other traditional payment systems.

"Does "decentralisation of currency" belong in the top 100 things to devote electricity generation to?"

I think so. If (big if) Bitcoin ever becomes so successful that 1% of the energy is spent on it, think about the massive scale of positive social and economic changes it means it will have brought: freeing people from economic censorship and persecution, reducing international payment friction hence increasing economic trade, etc.

But I think neither you nor I can envision the scale of such potential social and economic changes. It is like asking a random person from the 1890s how much do they think automobiles will change the world, and almost nobody would have predicted automobiles are a major enabler of the economic expansion of the 20th century.

Transaction speeds: zero-conf txs are at risk of a double-spend, but in practice this happens extremely rarely.

>No. You may still be liable for $500 if you fail to report it within 48 HOURS

"may" is much different than "are". I've had it happen 3 different times and didn't realize until many days later and was never asked to pay for any of it.

Guess how much you lose if someone steals $50,000 of bitcoin from you and you don't notice for 48 hours?

>Transactions will be confirmed and spendable by the recipient within 10min on average

Almost nobody gives two shits about how long it takes for the recipient to be able to spend it in the majority of credit card transactions.

>Finally transactions are considered irreversible/definitely non-fraudulent after 6 blocks or 60min on average (with CCs it takes 60 days since charge backs are possible for 60 days).

Worse for the consumer, better for the merchant. But again, nobody cares about the merchant in these cases. Merchants already hate credit cards so you don't need to convince them. You need to convince consumers, who drove the credit card adoption in the first place.

""may" is much different than "are""

Which is why I corrected the poster who made it sound like credit cards "always" protect you, when it's not true. "Often" and "mostly", but not "always".

"Guess how much you lose if someone steals $50,000 of bitcoins"

Hardware wallets solve the theft problem. To date there have been no verifiable incidents of Bitcoins stolen from hardware wallets.

Credit cards as they are implemented will NEVER solve the theft problem without constant anti-fraud efforts. Bitcoin uses cryptography to authorize a specific transaction. Credit cards rely blindly on the merchant's good will and security to charge for the right amount and to prevent the CC info from being stolen. The more you transact the more merchants the CC info circulates through, and the higher the risk of fraud. Which is why CC fraud has been rising and rising for many years.

"Almost nobody gives two shits about how long it takes"

Listen, I was just pointing out people who say "CCs transactions are quicker than Bitcoin transactions" are wrong. Accepting a zero-conf Bitcoin transaction is similar to ("as risky as") accepting a CC transaction after swiping/chip-and-pin. Therefore that's what should be compared, and both Bitcoin and CC transactions are just as fast as each other (seconds).

I actually agree that the immutability of a Bitcoin transaction is a negative for the consumer. (But I don't think it is a con big enough to seriously hamper Bitcoin's adoption.)

>Which is why I corrected the poster who made it sound like credit cards "always" protect you, when it's not true. "Often" and "mostly", but not "always".

This is a distinction irrelevant in the real world where the status quo (at least in the US) is that companies protect you. Bitcoin has to compete with what exists, not a potential strawman based on what the laws say.

>Hardware wallets solve the theft problem. To date there have been no verifiable incidents of Bitcoins stolen from hardware wallets.

Can hardware wallets be stolen? If so, you just lost $50k regardless of the attacker gaining access to it. If not, it means you have keys backed up somewhere that can be stolen.

>>"Almost nobody gives two shits about how long it takes"

>Listen, I was just pointing out people who say "CCs transactions are quicker than Bitcoin transactions" are wrong.

Don't quote out of context. The rest of my sentence clearly shows I'm referring to the speed for the consumer. From a consumer perspective, the transaction is done right when the credit card machine returns (a.k.a within seconds).

>Accepting a zero-conf Bitcoin transaction is similar ("as risky as") accepting a CC transaction after swiping/chip-and-pin.

No it's not. A zero-conf transaction someone can double-spend against and the merchant has no recourse and the consumer has no risk. Merchants will be forced to wait for confirmation unless they have other leverage against the consumer to use on bad behavior.

In CC transactions, the risk to the merchant is a chargeback. A consumer can only lie about these a few times in their life before they get caught by a combination of the credit card company and a merchant and they will be arrested for credit card fraud.

Until the government steps in and writes laws making double-spending fraud, CC will be safer than zero-conf transactions.

Someone steals the control of your banking account, they take everything and there's no way of getting that money back.

Credit cards are peculiar in this regard.

I am not 100% sure, but my understanding is that the bank is liable for those losses unless they can prove gross negligence on your part. I've heard that legal argument, at least. [0]

Though this is not worse than your cryptocurrency. If they get a hold of your private keys, you lose everything. At least in the classical banking system you have some legal recourse.

[0]: I might just be thinking of this comedy sketch though: https://www.youtube.com/watch?v=CS9ptA3Ya9E

"they get a hold of your private keys, you lose everything."

Hardware wallets solve this (Trezor, Keepkey, etc.) This makes Bitcoin more secure than cash. Most people accept the (imperfect) level of security of cash, so they would be OK with the higher level of security of hw wallets.

They would be okay with higher security, but not higher risk of it breaking. Cash doesn't rely on advanced circuitry so I don't have to risk losing $50,000 because of some static electricity.

Hardware wallets can be backed up. You can even have 2 hardware wallets using the same cryptographic seed and both able to spend the same BTC. You won't lose any BTC if a wallet gets destroyed.

Serious question: if you're using a hardware wallet, can people accept payment from you without worrying about double spends?

How is it any different compared to software wallet?

Your private keys have limited attack surface, especially if they're in cold storage.

However, your banking account has unlimited attack surface. It's on some remote information system that you do not control and never will. As I already said, I'm not a big believer in "legal recourse", it's as well to be used to take money from you as to return them back.

Maybe if you have a business account, but not if you are a regular person. Regulation E https://en.wikipedia.org/wiki/Electronic_Fund_Transfer_Act requires banks to refund "EFT errors" and fraudulent transactions.

Code is law until well connected people need a bailout

Law is code until well connected people need a bailout.

At least in the US, you cannot lose much money because of fraudulent electronic funds transfers, unless you ignore the fraud for more than sixty days. https://www.federalreserve.gov/boarddocs/supmanual/cch/efta.... See section V "Consumer Liability and Error Resolution."

Seriously though, anyone who could find a serious bug in Bitcoin could cash in.

what went wrong: TLDR probably Ctrl-C,Ctrl-V.

(Just to be clear, this is about Zcoin, not Zcash/Zerocash. The two are completely different)

The fix is here. https://github.com/zcoinofficial/zcoin/commit/33796c839f7d4d... What happened?

First, some stylized facts about ZCoin:

0) ZCoin is a fork of Bitcoin that uses a 4 year old academic research library, libzerocoin, to make anonymous payments using the Zerocoin protocol.

1) Unlike Zcash/Zerocash, the Zerocoin protocol has only fixed value coins.

2) To get multiple denominations, you have completely separate instances of the anonymous currency that just happen to live on the same blockchain as the other denominations.

3) Zerocoin has its own bitcoin like non anonymous base currency. Call it basecoin.

4) You spend basecoins to get zerocoins.

5) When you spend zerocoins, you get basecoins.

6) ZQ_WILLIAMSON and ZQ_PEDERSEN are denominations, worth 100 and 50 respectively, defined in libzerocoin.

So what went wrong?

When you convert a zerocoin into 100 basecoin, the ZCoin code forked from bitcoin checked if the coin was a valid instance of ZQ_PEDERSEN (worth 50), not ZQ_WILLIAMSON (worth 100). So you paid 50 for the zcoin, got it into the instance for ZQ_PEDERSEN, but got back 100. Free money.

Why did this happen? Well, it looks like in order to support the multiple denominations libzerocoin offers, the ZCoin developers wrote some code for one denomination and then duplicated it for each remaining denomination. There are five in total: ZQ_LOVELACE = 1, ZQ_GOLDWASSER = 10, ZQ_RACKOFF = 25, ZQ_PEDERSEN = 50, ZQ_WILLIAMSON = 100.

But on the last one, ZQ_PEDERSEN was not changed to ZQ_WILLIAMSON in a few places. This caused the bug.

Caveat: I have nothing to do with ZCoin. However, I am an author of the zerocoin protocol, libzerocoin, the zerocash protocol, and am involved with Zcash.

Just to clarify, the code that was duplicated per denomination is not part of libzerocoin itself, it's in main.cpp. I'm not sure who wrote it; it may or may not have been part of the academic prototype Ian refers to. In any case, this amount of duplication (in security-critical code, no less) should never have passed the necessary code review to release a cryptocurrency. Also note that there are still unexplained differences between the copied code branches after the security fix.

(In contrast, Zcash did have duplicated code in the prototype we inherited, but we rewrote that entirely well before the Zcash launch.)

[Edit: I confirmed that the duplicated validation code in main.cpp was not present in libzerocoin. Some of the code in main.cpp, including some stale comments, appears to have been pasted from https://github.com/Zerocoin/libzerocoin/blob/master/Tutorial... , but that tutorial code does not have the bug. So it appears that it was introduced by the Moneta/Zcoin developers.]

Disclosure of interest: I am a Zcash developer.

Any idea why they would describe the code error as "a single additional character in code"? It looks like about 10 characters or so based on your link. There are also some other code changes associated with that commit.

I think the single character fix is this [1], GP seems to be describing [2].

[1] https://github.com/zcoinofficial/zcoin/commit/b20c177032de3c...

[2] https://github.com/zcoinofficial/zcoin/commit/33796c839f7d4d...

That is a one character change. And it is labeled "urgent fix". So it's certainly possible.

But that change appears to do exactly what the variable name suggests setting it to zero would do: stop zcoin tx's from being included in a block.

That strongly suggests someone attempted to fix the issue by simply disabling all private transactions.

I have no idea. If you can find a single character edit in the commit history, I will look at it.

But this certainly is a bug. And it would allow you to steal funds.

Another major bug caused by copy+paste. I seem to remember a security researcher article months (years?) ago that identified this theme, showed a way to grep a codebase for likely c+p errors and found a load of bugs in real production code that had remained hidden for years. I think I landed there from HN, but my google-fu is failing me now, can anyone else remember it?

Probably not what you mean, but this (https://news.ycombinator.com/item?id=12853211) submission about the PVS-Studio static analyzer also shows a bunch of copy+paste errors being found.


How would you minimize these types of errors by design or best practice?

I guess languages with a lack of higher order abstractions and no strong type system might be more prone to this type of errors.

This isn't a subtle or difficult-to-find case. It's a case of "why the heck would anyone write code like that, in any language, in the first place?" The only language-level abstraction needed to avoid this particular kind of duplicated code, is a loop.

I want to know..

I went looking for this again today. It's not the article I was talking about, but you might find this interesting:


Anyone know which line of code they're talking about?

I took a glance at their Github bug tracker and couldn't find any references to this bug.

[0] https://github.com/zcoinofficial/zcoin/issues?q=is%3Aissue+i...

Better look at commits.

I am not familiar with their code base, but latest commit seems like a bugfix: https://github.com/zcoinofficial/zcoin/commit/33796c839f7d4d...

So... where's a unit test to make sure this never happens again?

I'd rather actually see a real comment if there is no time to create a unit test.

Why does changing ZQ_PEDERSEN to ZQ_WILLIAMSON fix the bug?

Having meaningful named constants would make much more sense.

Edit: On full view of the code, the bug could be avoided if they broke out the if <denominationX> blocks into their own function, and to prevent "typo" errors, it would be good to have a local variable named current_denomination = denominationX, and then reference that local variable instead of referencing the constant every time.
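As an added example (not part of the thread and not Zcoin's code): a toy C++ model of the bug described earlier in the thread, with the per-denomination branches written copy-paste style beside the loop-based version suggested in the comments, plus the regression check asked about above. The `Pools` map, the function names and the coin id are assumptions made for illustration; only the denomination names and values come from the thread.

```cpp
#include <array>
#include <map>
#include <set>
#include <string>

// Denomination names and values as listed in the thread (from libzerocoin).
enum Denomination { ZQ_LOVELACE = 1, ZQ_GOLDWASSER = 10, ZQ_RACKOFF = 25,
                    ZQ_PEDERSEN = 50, ZQ_WILLIAMSON = 100 };

// Hypothetical stand-in for the per-denomination accumulators: the set of
// coin ids minted (and not yet spent) in each denomination.
using Pools = std::map<Denomination, std::set<std::string>>;

static bool redeem(Pools& pools, Denomination d, const std::string& coin) {
    return pools[d].erase(coin) == 1;  // valid only if minted in pool d
}

// Copy-paste style: one branch per payout. The last branch was pasted from
// the 50 branch and still validates against ZQ_PEDERSEN.
// Returns the basecoins paid out, or 0 if the spend is rejected.
int spend_duplicated(Pools& pools, int claimed, const std::string& coin) {
    if (claimed == 1   && redeem(pools, ZQ_LOVELACE, coin))   return 1;
    if (claimed == 10  && redeem(pools, ZQ_GOLDWASSER, coin)) return 10;
    if (claimed == 25  && redeem(pools, ZQ_RACKOFF, coin))    return 25;
    if (claimed == 50  && redeem(pools, ZQ_PEDERSEN, coin))   return 50;
    if (claimed == 100 && redeem(pools, ZQ_PEDERSEN, coin))   return 100;  // stale constant
    return 0;
}

// Loop style: the denomination is named once, so the pool that validates
// the coin and the amount paid out cannot disagree.
int spend_looped(Pools& pools, int claimed, const std::string& coin) {
    static const std::array<Denomination, 5> kAll = {
        ZQ_LOVELACE, ZQ_GOLDWASSER, ZQ_RACKOFF, ZQ_PEDERSEN, ZQ_WILLIAMSON};
    for (Denomination d : kAll)
        if (claimed == static_cast<int>(d))
            return redeem(pools, d, coin) ? static_cast<int>(d) : 0;
    return 0;  // unknown denomination
}

// Regression check: mint one 50 coin, then try to spend it as a 100.
// Returns the payout; anything other than 0 means value was created.
int payout_for_mismatched_spend(int (*spend)(Pools&, int, const std::string&)) {
    Pools pools;
    pools[ZQ_PEDERSEN].insert("coin-A");  // constructed sample coin id
    return spend(pools, 100, "coin-A");
}
```

A test that mints in one denomination and spends in another, run for every pair, would have flagged the stale constant before release.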

Apparently those are names for 50 and 100 BTC.

From this presentation[1] or the source code[2]:

    1 Lovelace = 1 Bitcoin
    1 Goldwasser = 10 Bitcoin
    1 Rackoff = 25 Bitcoin
    1 Pedersen = 50 Bitcoin
    1 Williamson = 100 Bitcoin

But yes, those are meaningless names in themselves. Metric prefixes like "hectobitcoin" would be better.

[1]: https://sar.informatik.hu-berlin.de/teaching/2013-w/2013-w%2...

[2]: https://github.com/Zerocoin/libzerocoin/blob/master/Coin.h#L...

Actually I think this might have been the fix.


Nope this -- 4 commits later, and 12 minutes ago at this time.


Looks like they replaced a 50 with a 100.

> We have identified the error and are pushing the fix urgently within the next 24 hours.

They didn't fix it, yet.

> A typographical error on a single additional character in code

Really wonder what this was.

== vs = perhaps?

Yeah that seems quite possible.

(And people mock me for putting constants first! i.e. if (someconstant == somevar) { ...

[edit: nope, looks like this is it]


No, that is not the bug. See Ian Miers' comments.

Exploiting such a tiny bug is damn impressive if you ask me. The bloke who pulled this off deserves the cash.

Unless the "bug" was inserted by a developer...

I'm really curious to see the "single character" in question and assess whether it might have been intentional.

>trading will resume once pools and exchanges have had time to update their code. A new release will be pushed out pretty soon.

Does this imply this company has the power to stop all trading on the currency? If so, why would anyone ever want to use this?

No, it implies they can nicely ask the exchanges to stop all trading, and the exchanges can make that decision or not.

> Prior to this announcement we had disclosed the hack to the exchanges for them to assist in our investigations.

No, but it does sound like they disclosed the vuln to exchanges before announcing so that trading could be halted and patches applied.

Finally money can have bugs.

So who eats the loss for this?

Every owner eats a tiny bit of it with the downward pressure on value caused by the artificially increased supply. Also, decreased trust reduces demand pressure further lowering value for everyone.

It's not really a tiny bit... ~30% of the networks value was fabricated.

And every coin owner took a tiny bit of that loss.

I wouldn't call 30% a tiny bit. The presence of 30% more coins robbed everyone 30% the value of their holdings via dilution.

The currency is down more than 12%.

So they've made 18% value huh?

"In a decentralized economy, one person's mistake must be distributed to the collective."

Hackers rob the mortgage downpayment you made with Bitcoin, said platform gives everybody a haircut because platform provider won't take responsibility and claim it's the cost of decentralization without really understanding the responsibility of the platform still falls upon the main facilitator.

What a great new thing decentralized economy is, everyone will be dying to get in on the action!

If estimates are accurate that 25% of all Zerocoins in existence were artificially (I mean, even _more_ artificially) fabricated, then that dilutes the value of everyone else's legit coins by about 33%.

Hearing the 410BTC value estimate of those 25% is a bit surprising. I wouldn't have imagined them having such market capitalization so quickly.

Hmm, I know about Zcash and Monero, but I haven't read much about Zerocoin. I'll be staying away, especially after a 410 BTC hack. They even cited the ability to detect hacks like this as a key advantage over Zcash.


That's the point. ZCash could have a bug of the same magnitude, and we'd be none the wiser.

They did detect the hack.
